Enemy At The Water Cooler

Trent Lucier writes "On most networks diagrams I've seen, the internet looks like a cloud. Sometimes it's a fluffy white cloud. Other times it's a dark ominous cloud. Regardless of the artistic style, the depiction usually conveys the mystery and danger of putting your company's network on a global information grid next to a billion users, kind of like those old maps with dragons drawn at strategic places in the ocean. Not surprisingly, corporations spend much time and energy protecting themselves from The Outside World. In Enemy at the Water Cooler, Brian Contos argues that just as many resources should be spent on defending against insider threats. Will this book help you detect the enemies at your water cooler?" Read below for the rest of Trent's review.

Enemy at the Water Cooler: True Stories of Insider Threats and Enterprise Security Management
author	Brian T. Contos
pages	302
publisher	Syngress Publishing
rating	8
reviewer	Trent Lucier
ISBN	1597491292
summary	A thorough introduction to insider threats and the countermeasures that can be used against them

Contos, a Chief Security Officer himself, has written a primer on insider threats and the counter-measures that can be deployed against them. The book is written for a wide audience, so don't expect low-level details about encryption algorithms and security protocols. However, if you have to deal with a large company's IT infrastructure, you may benefit from Contos' descriptions of enterprise security concepts and anecdotes.

According to the book's terminology, an insider is someone who has more privileges than the common person and uses those privileges to abuse the system. It's important to understand the full scope of the term "privileges". In addition to computer privileges, Contos is also talking about physical access to hardware, paperwork, and even other employees that can be exploited in social engineering attacks. Even if a piece of information is useless to the insider, it may be something that a competitor would be willing to buy for the right price.

The early chapters provide background on all the standard attacks that are in the news these days: phishing, denial of service, keylogging, etc... What makes these sections interesting are the statistics that are sprinkled throughout the text. In a survey conducted by CERT examining known attacks, 49% were committed by insiders that were married. This goes against the profile of the insider being someone who has less personal risk (such as a family) at stake. In fact, the prevailing image of the last 30 years depicting a computer criminal as a socially awkward young male has started to become less accurate as organized crime has turned into the biggest threat.

Enemy At The Water Cooler does a great job of putting statistics in context. The book is always careful to mention that the crime statistics represent only the known incidents. Contos often explains why certain numbers matter. Near a chart showing that 59% of discovered crimes were committed by former employees, the author explains that recently fired employees can be highly motivated to commit revenge and still have access to accounts and passwords, which is a dangerous combination.

How does the book propose that businesses deal with threats? At the end of Part I, Contos introduces a technology called Enterprise Security Management (ESM). This is a blanket term used to describe a collection of enterprise-level tools that can perform information analysis, display event feeds, manage policies, and do everything else in the world besides make toast. The remainder of the book constantly mentions this technology, so if you are not interested in learning about ESM, this book may not be for you.

At this point, it should be noted that Brian Contos is the Chief Security Officer of a company that sells ESM products. The book is neutral on which product you should use, although some screenshots show Contos' program for illustrative purposes. I did not feel that the book was biased or trying to sell me something. Regardless of who the author works for, he makes a compelling argument that ESM systems are necessary for big companies that need to manage their IT security.

Case studies comprise Part II of the book. This is the entertaining stuff, and probably the type of thing most people want to read when they pick up a book called Enemy At The Water Cooler. There are 8 main case studies, each running about 5 pages in length. Contos puts the "study" in "case study" as he illustrates how tools (ESM) and training could prevent many of the scenarios he describes. Those expecting light reading in the form of amusing anecdotes about IT security will be disappointed. However, if you're looking for a detailed analysis of insider crime, these chapters provide it.

Many times, greed and hubris are the ultimate undoing of the insider. In one example, a company discovered that their servers were hosting pirated software. Little did the company know that the employee that was asked to clean up the server was actually the one who put the software there to begin with. The insider would have gotten away with it if only he hadn't bragged to a co-worker about how dim-witted his company was.

In other situations, employees can be blackmailed into committing crimes. In the case of a Spanish company, an employee was forced into planting a wireless access point in one of the development labs. The employee had lied about his educational background on his resume, and criminals threatened to expose him if he didn't cooperate by planting the device.

The final portion of the book discusses further capabilities of ESM. The main point is that ESMs should be able to monitor everything. Contos explains a scenario where an employee pulls financial information from a proprietary system and then uploads it to a P2P network. Most companies do not have the technology to detect such an action. Not that Contos claims technology is the only answer. It is just a tool, and it is useless when not supported by trained employees and policies. At the end of the book, the reader gets information about "soft skill" topics like incident management, hiring processes, and some legal case history regarding insiders.

The book's viewpoint is very top-down with regards to the corporate hierarchy. Executives will no doubt love all the capabilities that Contos claims can be at their fingertips, but individual employees might feel it is slightly Orwellian. Can all this information that the ESM vacuums up be used for evil? The book's implicit answer seems to be "yes", since it is repeatedly made clear that no one can be trusted. But there is never any explicit information given on how the ESM itself can be protected from abuse.

Enemy at the Water Cooler provides a thorough introduction to insider threats and the countermeasures that can be used against them. If you are just interested in stories about insider security crimes, then you may want to pass. (The section on case studies is only about a third of the book's content). However, if you are interested in learning about technology that can help defend against these threats, then this book provides a comprehensive overview.

Trent Lucier is a software engineer. His latest experiment is localhost80.com"

---

You can purchase Enemy at the Water Cooler: True Stories of Insider Threats and Enterprise Security Management from bn.com. Slashdot welcomes readers' book reviews -- to see your own review here, read the book review guidelines, then visit the submission page.

YOU TOOK THE LAST GLASS OF WATER

you have now made an enemy at the water cooler..

re:YOU TOOK THE LAST BIT OF DIGNITY

You're the reason the rest of us have to put up with the kinds of onerous security protocols and limitations the book describes.

No, the reason we have to put up with "the kinds of onerous security protocols..." is that corporations have lost all sense of loyalty to their employees.

My father, three of his brothers and their father all worked for the same company for all their working life. They were well taken care of and they returned that loyalty several times over in the course of their careers.

Today, companies are more concerned with cutting another 10,000 employees so their stock price will jump a few cents for a couple of weeks than creating a relationship of trust and security with their employees. Benefits are cut, unions are fought, jobs shipped overseas and life is generally made as miserable as possible for the people who sweat blood on the shop floor. Meanwhile, the differential between what the CEO makes compared to the average employee has gone from 20 to 1 to 20,000 to 1.

I'm not surprised that corporations find themselves loathed by their employees and having to exert effort and money trying to protect themselves from their own people. What surprises me is that we don't see more all-out sabotage by disgruntled employees.

It's not coincidental that the period of enormous growth and prosperity of the few decades after World War II happened to also be a period of improving conditions, organization and influence for the workers. A period when labor unions were considered a crucial part of the economic system. Those unions were the only reason the US had such a strong and deep middle class from 1950 until their demise began at the hands of that doddering tool of the Right-Wing Rich, Ronald Reagan, who, if God is just, is burning in Hell.

different goals

The goal used to be to make money. Now the goal is to make as much money as possible. Though those seem like similar goals, in reality they aren't. Before, as long as you were making money then you could, with a good conscience, treat your employees well. Now, no matter how much money you're making, you still can't treat your employees well and feel good about it, because every cent spent on human decency is a cent of profit squandered. Also, many companies of old felt that they had a responsibility to their workers, whereas now workers are viewed as an expense, like paper clips or toilet paper. This attitude makes for a hotter stock price, but a worse quality of life for everyone who works there.

Also, CEO pay has skyrocketed in comparison to worker pay, and no company that pays hundreds of millions of dollars to departing executives can also afford to be loyal and supportive to the workers. In the corporate culture of today, executives are seen as the movers and shakers, the visionaries who create the value, while the workers are seen as expenses.

Re:YOU TOOK THE LAST BIT OF DIGNITY

I'm not surprised that corporations find themselves loathed by their employees and having to exert effort and money trying to protect themselves from their own people. What surprises me is that we don't see more all-out sabotage by disgruntled employees.

it happens all the time... but i'll bet it doesn't often make the papers.

the word sabotage comes from the french word "sabot" which is a kind of wooden shoe or clog. during the industrial revolution, angry workers would kick the machines they worked on or throw the shoes into them, resulting in a "clog" in the output.

in the intelligence community, disgruntled soldiers and public servants make some if the best moles or double agents. in government, many whistleblowers act not out of a sense of duty or responsability but as a means of exacting revenge.

Re:YOU TOOK THE LAST GLASS OF WATER

Sure, I guess you could take down their entire system if they fired you. That is, if you're okay with never working in the industry again.

Your career is heavily dependent on your reputation. If you have a reputation as a rogue who will hold the system hostage in order to make yourself indispensable, you will not be hired elsewhere.

In any job, your goal should be to make yourself valuable, not indispensable. Indispensable people make management nervous. If you are truly indispensable, then management's primary goal becomes to make you dispensable as soon as possible, even if they like you. It's the old "What if Person X got hit by a bus tomorrow?" dilemma: nobody wants their entire business to be dependent on any one person.

Beyond that, being indispensable in your current position makes it impossible for you to move up in the company. No one will promote you, because your current position can't be backfilled, since you're the only one who can do it. This is bad for your career.

Oblig

Will this book help you detect the enemies at your water cooler?

All your base are belong to the water cooler!!

No more

We removed our water cooler so that this scenario never happens.

Re:No more

Removing the water cooler isn't enough! You need to get rid of drinking fountains, coffee makers, vending machines, shared refrigerators, wet bars... any place where liquid refreshments might be dispensed. For added security, photocopiers, fax machines, and any other equipment which people might stand in line for or loiter nearby, should also be eliminated. In sensitive environments and military installations, elevators should be replaced by single-file escalators. And water cannons should be used on the smokers who assemble outside. (Not just for security, but for their own good.) It's a jungle in here, people!

Re:No more

Cube farms are a secondary location where many of these attacks can be perpetrated. The only solution is to make each person work in a separate office. For added security, it would be best if each person connected to the network from a different location, unknown to most of the other people. Mandatory full time telecommuting is the only viable solution to combat these security risks.

WAIT!!!

I'm confused here - is he talking about protecting my corporations network from myself?

Visio

Does anyone have Visio stencils of those ominous dragons? I'd love to replace my Internet clouds with these.

Update on the link

I have no idea why Slashdot linked to B & N here, when Amazon has it considerably cheaper [amazon.com] (see the "Used and new from..." listings).

Problems.

While internal security is important but the priority should always be towards protecting your self from external attacks. Internal security problems can be minimized because there is a smaller group of suspects. As well as good hiring practices can reduce it a bit more. Next is the Cost/Benefit of putting the effort into internal security. First there is the cost of designing and implementing then there is the cost of maintaining it and keeping the employees useful. If Employee X needs to put in a request to access some data and it takes a couple of hours to do so that is a time of loss productivity.

Re:Problems.

You are right. The reason we are all running PCs on our desktop instead of terminals hooked to the mainframe is because of this. People were finding that they could be far more productive with a crappy (in comparison to the mainframe) C64 or Apple II than they could with the million dollar mainframe. So, they just circumvented the corporate computers by dropping a PC on their desktop. Eventually corporations had to start supporting the PCs because when they were faced with the dramatic drop in productivity from removing the PC, or the cost of supporting PCs, the choice was obvious.

I would also caution against restricting the individuals PC desktop too much. This can very quickly lead to employees looking for ways to circumvent your security, and create threats that you don't know about. Sometimes this even means making sure the employees computers properly play CDs, and can access entertainments sites on the internet. The best and the brightest often look for the most enjoyable work environment. Being able to listen to their music while working, or taking a short break to see if there will be a new episode of BSG this week could mean the difference between getting someone that is adequate at their job, and getting someone that is great. It could also mean the difference between an employee that dreads coming to work, and someone that looks forward to it.

snitch networks?

So what next - snitch networks? Informants?

Pissed off people (and assholes) will always remain so.

Re:snitch networks?

otherwise known as "HR".

I was waiting for this to get mentioned

Executives will no doubt love all the capabilities that Contos claims can be at their fingertips, but individual employees might feel it is slightly Orwellian. Can all this information that the ESM vacuums up be used for evil? The book's implicit answer seems to be "yes", since it is repeatedly made clear that no one can be trusted.

And that's a problem created by solving the infosec problem.

Employees like to feel trusted. The kinds of security measures that will really protect your information are the kinds of security measures that will create a semi-oppressive environment.

I guess that's something that has to be balanced: the effects of your security implementation on morale/productivity vs the cost of a possible breach

Insiders only 20% of threat

Not quite. Only around 20% of registered, reported attacks come from an insider threat, and of those, only 10% are from IT. You can find this at a Jan 23rd posting on CERT about insider threats.

http://www.cert.org/ [cert.org]

  Therefore, implying that the insider threat looms as large as others is highly divisive and misleading. Further, you can take concrete steps to reduce the risk of an insider threat, while you cannot have that level of impact in threat reduction (vulnerability and asset risk reduction, yes, but not threat) for the rest of the world.

- musides

jumping ship

Every employee thinks about striking out on their own and about taking some data or IP along with them.

Windows Vista Forum [vistahelpforum.com]

Re:jumping ship

It may surprise you to learn that PHP can be run on a Windows system using Microsoft's IIS as its web server.

Wine

In France they have a different approach. At lunch everybody takes a glass of wine and it's considered normal. Should replace the watter with wine and it will drastically reduce security threats :) Len [www.len.ro]

Nice Review

I'm definitely going to be purchasing this book, as we've recently had an 'incident' and in the health care field these kinds of things could mean jail time for me as the person responsible for security thanks to HIPAA.

Who talks at the water cooler anyway?

Can we end the "talking around the water cooler" cliche? Very few people stand around the water cooler. They walk up to it, fill their cup or bottle, and walk away.

If someone wanted to have a good chat with their workmates, they'd wander off to a nearby cafe, where their conversation isn't going to be seen or heard by their managers.

More spinoffs of the terrorist threat

It really sounds to me like this is just a continuing tune on the terrorist theme. Watch out, you aren't safe anywhere, you can't tell who might be out to get you, no one is excluded from suspicion.

My assertion is that looking behind you all the time and treating everyone as a potential threat causes more damage than the problems it supposedly avoids. If the patriot act is the cure, I'd rather have the disease, thank-you. The same goes in the office.

About that cloud

Nothing sinsister about it, I'm afraid. The cloud is used because it does not matter how the internet works, only that you put packets in one place with the right address, and they come out at that address. How they got there, we neither know or care. Hence the cloud, not because there is mystery, but because maybe it's fiber, maybe copper, maybe SDSL, or Frame Relay, maybe it's satellite, maybe it goes via Hamburg, maybe via London, we don't care because it doeesn't matter.

Go off the grid

What if your company's network weren't connected to the internet at all? Naturally, a lot of companies "need" this, but I'm sure there are other companies that can operate fine without the internet at all. Not only does it save the company from worrying about "outside" threats, but I imagine it also helps to deter inside threats. For example, look at the employee that hosted pirated software on company machines. Without the 'net, how is he going to host it?

Self-Generating Problem

I wonder how many companies, in an attempt to defuse "the enemy at the water-cooler", have treated employees with such contempt that they have created even more and more aggressive internal enemies. The more companies treat their employees as adversaries, the more adversaries they create.

Yes, companies should take prudent steps to oversee the security of their networks and systems. But I suspect they need to do more to enlist the aid of the allies at the water-cooler and in creating a positive work environment than in draconian control measures.

big fluffy white clouds are nice, but . . .

The big fluffy, white clouds representing the internet are nice and all, but wouldn't it be more accurate to represent the internet on diagrams with a mugshot of Al Gore, instead?

Danger! Danger Will Robinson!!

(Arms flailing in the air wildly)

What is it with people today who act like working in an office in corporate America is filled with intrigue and tales of espionage? Read this now: CORPORATE AMERICAN OFFICES ARE DULL AS HELL. There are no real secrets because the monkeys who work in these glorified cages have no real power of any kind. They have no knowledge of any value. They are basically button pushers who want to feel important after watching fantasies like Fox television's 24 series. Trust me, I've seen it all from a pretty priveledged position and I can tell you that there's nothing to see. Nothing to worry about when you look at the cubicle farms. The people who really need to be watched carefully are the people doing the watching.

Every Few Months

Every few months someone writes and article or publishes something talking about how insider threats are the largest avenue for security breaches. Usually, they are trying to sell some new "spy on your employees" device. My company even makes a device that tracks employee internet usage and finds abnormalities. We have one deployed internally and anyone can look at it to see what other people have been doing. Sometimes we'll make fun of someone for being the most frequent visitor to Slashdot this month, or some-such. That said, we have deployed an incredibly effective system for stopping insider threats. Such a system used to be commonplace in many companies, but has since fallen into disuse due to modern business strategies and short-term money saving concerns. This fabulous system is called, "beer in the fridge."

By spending a small amount of money to keep the kitchen fridge stocked with free beer for all employees, the company has cheaply bought all our loyalty. Sure we could perform extensive audits and spend time spying on potential insider threats and implement physical security to stop people from bringing in portable drives they could use to steal our customer databases, but really the beer is a lot cheaper. It has added benefits too. If an employee is gets a job offer elsewhere they often ask about the free beer situation. I think it is worth about 20K of salary in most people's comparisons. If people are moving on, they stay in touch with people here and recommend us to work for and to buy products and services from. People give lots of notice and will stay on to finish a project or train someone else. People are a lot more likely to stay late or come in on the weekends to work on something because of the free beer.

Yes, the fabulous "beer in the fridge" system has many advantages.

Treat employees well, like people instead of mercenaries. Be their friend as well as their boss. If they can't come in some day because they have something come up, or an old friend comes into town, let them take a day off. Make sure people don't fear they will be fired because management needs better numbers for the year. Make sure they know they are valued as employees and people. Take them out to lunch now and again or order a pizza, or get free donuts. Well treated people almost never betray their employer and tend to treat their boss well in return. This isn't rocket science.

I have 17 humidifiers running non stop

I have had the shower on for 2 weeks straight.
My internet cloud in my house is really fast now.

does anyone know how to stop all the water from dripping everywhere ?

An acquaintance of mine

An acquaintance of mine has a startup that is devoted entirely to insider security tracing what comes outwards from within the firewall. He says business is very good.

At it's Most Basic...

When people ask me what I do, I reply "Information security for a bank." This typically provokes the follow-up "What does that mean?" My reply has always been "I keep the bad guys out, and the employees in... and the latter is the more difficult."

Why even think about technological solutions?

Banks have been aware of insider threats for centuries. They have a battle-tested set of policies and procedures such as separation of duties to control the threats. Banks have been able to stay in business for a long time before ESM became available.

Banks have also gone out of business due to the insider threat people seem afraid to discuss. There's an old saying, "The best way to rob a bank is to own one". Crooked senior management stole one Sagan (billions and billions) of dollars during the 1980s US savings and loan disaster. Sometimes the thefts are even considered legal, as when a CEO walks away from a ruined company with a hundred million in "performance bonuses". How is ESM going to protect against Ken Lay, who did more damage than any random thousand "disgruntled former employees"? (*)

Banking procedures, such as requiring people to take vacations, have the other advantage that they don't risk violating privacy laws. In some countries you may not be allowed to spy on your workers to the extent you can in others.

(*) Who disgruntled them, anyway?

My name is Milton Waddams

>Will this book help you detect the enemies at your water cooler?

No. I will have to find out myself who took my red stapler.

*walks off muttering*

"Here Be Dragons" on maps

Although this post is technically only relevant to the OP's commentary, please don't mod me OffTopic..

I was wondering, "wtf? dragons? maps?" and rather than post an annoying OT question, I looked it up. Very interesting, and if you're wondering about the OP's reference above, I found a useful page here [maphist.nl] and here [google.com].

And don't flame me for not knowing this either. At least I'm sharing the knowledge now :) -W5i2

THe only enemies at our watercooler are...

ridiculously paranoid and power-crazy sys admins who lock our pcs down so tight its almost impossible to do any software development work on them.

Client firewalls wide open from the inside out

I work for a large security oriented IT company and our managed client firewalls are effectively, wide open from the inside out. We assume that anything inside is fine. This does in fact get us into trouble but it's easier to do that than re architect all our applications to work in bi directionally secure world.

The cost/benefit of paranoia?

I suspect the cost in lost productivity of treating your employees as potential enemies far outweigh the benefit in reduced risk of sabotage and theft. It might not even reduce the risk, people in general have a strange tendency of behaving the way you expect them to, so if you expect them to betray you, they are more likely to do so.

what protects the ESM ..

"At this point, it should be noted that Brian Contos is the Chief Security Officer of a company that sells ESM products"

Ah, So ...

"In one example, a company discovered that their servers were hosting pirated software"

Does the book tell us the names of the companies and the individuals involved.

"In the case of a Spanish company, an employee was forced into planting a wireless access point in one of the development labs. The employee had lied about his educational background on his resume, and criminals threatened to expose him if he didn't cooperate by planting the device"

If this anecdotal evidence is true why would the employee engage in industrial esponage merely to cover up how he lied on his CV, something most everyone does. Do the criminals think no one would find the wireless access point. Why go to the bother since they have a man on the inside.

"Contos explains a scenario where an employee pulls financial information from a proprietary system and then uploads it to a P2P network. Most companies do not have the technology to detect such an action"

Anyone attempting such a thing would first get admin rights on the ESM and delete the audit rail. It's best to login as the PHB as he would never go looking for his own files. If your company can't spot a P2P node on their network then maybe they should be in the sandwich selling business instead.

who is the real threat

anyone with a red stapler muttering to themselves...
or the guy gutting a fish in his cube.

No shit, Sherlock!

Near a chart showing that 59% of discovered crimes were committed by former employees, the author explains that recently fired employees can be highly motivated to commit revenge and still have access to accounts and passwords, which is a dangerous combination.

No shit, Sherlock!